WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 
DETAILED ACTION 

1. Claims 21-28 are pending. 

Claims 1-20 and 29-30 are cancelled. 

Continued Examination Under 37 CFR 1.114 

2. A request for continued examination under 37 CFR 1.114, including the fee set forth 
in 37 CFR 1.17(e), was filed in this application after allowance or after an Office action 
under Ex Parte Quayle, 25 USPQ 74, 453 O.G. 213 (Comm'r Pat. 1935). Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set forth 
in 37 CFR 1.17(e) has been timely paid, prosecution in this application has been reopened 
pursuant to 37 CFR 1.114. Applicant's submission filed on 5/14/2008 has been entered. 

Information Disclosure Statement 

3. The information disclosure statement (IDS) submitted on 5/14/2008 was filed after 
the mailing date of the Allowance on 2/15/2008. The submission is in compliance with the 
provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being 
considered by the examiner. 

Claim Rejections - 35 USC §103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth 
in section 102 of this title, if the differences between the subject matter sought to be patented and the prior 
art are such that the subject matter as a whole would have been obvious at the time the invention was 
made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall 
not be negatived by the manner in which the invention was made. 

4. Claims 21-28 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Kouznetsov (US 6,973,577), and further in view of Gryaznov (US 7,065,790). 

As per claim 21: 

Kouznetsov discloses a system comprising: 
a network; (col. 3, lines 48-55) 

a security operation center coupled with the network; and (col. 3, lines 41-45) 
one or more machines coupled with the network (col. 3, lines 46-47 and 55-59), each machine 
comprising a communication interface and a memory (col. 3, lines 60-67) including an execution area 
configured to perform operations comprising examining a set of instructions embodying an invoked 
application (col. 2, lines 47-48 and col.4, lines 12-14 and 28-47) [to identify the invoked application], 
obtaining application-specific intrusion criteria (col. 2, lines 51-58 and col. 5, lines 9-12 and col. 7, lines 
1-2), and monitoring network communications for the invoked application, after the examining and the 
obtaining, using the application-specific intrusion criteria to detect an intrusion, (col.2, lines 32-40 and 
col.4, lines 15-36) 

Kouznetsov discloses examining a set of instructions (or program code) embodying an invoked 
application, where each occurrence of a specific event sequence characteristic of computer virus 
behavior, and the application that performed the specific event sequence, are identified (col. 2, lines 
53-59). However, Kouznetsov did not clearly recite the claimed "to identify the invoked application". 

Gryaznov discloses a method and system for providing computer malware names from 
multiple anti-virus scanners (col. 1, lines 6-9). Gryaznov discloses that an additional problem arises in that 
different anti-virus programs may call different computer malwares the same name, where providing 
just the name of a virus is not sufficient. Thus, a need arises for a technique by which multiple names 
of a given virus can be determined in a quick and automated fashion (col. 1, lines 52-61). Types of 
malware include computer viruses, Trojan horse programs, and other content (col. 3, lines 7-28). 
Gryaznov includes an anti-virus scanner to detect and identify viruses and other malwares (col. 4, 
lines 7-10 and col. 6, lines 5-15). The information identifying the computer malware may comprise a 
name of the computer malware and at least one of a computer virus, a computer worm, or Trojan 
horse program (col. 2, lines 7-15). Hence, Gryaznov reads on the claimed identifying the invoked 
application, obtaining application-specific intrusion criteria and monitoring network communications 
for the invoked application, after the examining and the obtaining, using the application-specific 
intrusion criteria to detect an intrusion (col. 2, lines 1-55). 

Therefore, it would have been obvious for a person of ordinary skill in the art to combine the 
teachings of Kouznetsov with Gryaznov for identifying the invoked application in order to take 
corrective action after a technique by which multiple names of a given virus can be determined in a 
quick and automated fashion, because different anti-virus programs may call different computer 
malwares the same name, where providing just the name of a virus is not sufficient (Gryaznov, col. 1, 
lines 24-35 and 52-61). 

As per claim 22: See Kouznetsov on col.2, lines 53-67; discussing the application-specific 
intrusion criteria comprises a normal communication behavior threshold. 

As per claim 24: See Kouznetsov on col.4, lines 15-20 and 48-53; discussing monitoring network 
communications comprises monitoring network communications in a network intrusion detection 
system component running in an execution context with the invoked application. 

As per claim 25: See Gryaznov col. 1, lines 32-36 and col. 4, lines 32-41; discussing the operations 
further comprise providing an application-specific remedy for a detected intrusion. 

As per claim 26: See Gryaznov col. 1, lines 32-36 and col. 4, lines 32-41; discussing providing an 
application-specific remedy comprises cutting at least a portion of the network communications for the 
invoked application. 

As per claim 27: See Kouznetsov on col.4, lines 25-30 and col.6, lines 50-60; discloses requesting 
the application-specific intrusion criteria from the local repository; requesting the application-specific 
intrusion criteria from the master repository if the application-specific intrusion criteria is unavailable in 
the local repository; receiving the application-specific intrusion criteria from the master repository if 
requested; and receiving the application-specific intrusion criteria from the local repository. 

As per claim 28: See Kouznetsov on col. 5, lines 50-58; discussing examining the set of 
instructions comprises: applying a hash function to the set of instructions to generate a condensed 
representation; and comparing the condensed representation with existing condensed 
representations for known applications. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Leynna T. Truvan whose telephone number is (571) 272-3851. 
The examiner can normally be reached on Monday - Thursday (7:00 - 5:00PM). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR. Status information 
for unpublished applications is available through Private PAIR only. For more information 
about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on 
access to the Private PAIR system, contact the Electronic Business Center (EBC) at 
866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service 
Representative or access to the automated information system, call 800-786-9199 (IN USA 
OR CANADA) or 571-272-1000. 

/L. T. T./ 

Examiner, Art Unit 2135 
/KIMYEN VU/ 

Supervisory Patent Examiner, Art Unit 2135 



